The Amnesty International UK website was compromised to serve Gh0st RAT [Update]
Posted: 11 May 2012 01:29 AM

Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

 

In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback.

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

 

The following is a screen shot of the detected code injection:

 


In the screen shot, we can see the similarities between this injection and the INSS injection we reported last week. It clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known exploit vector for CVE-2012-0507, as shown below:

 

 


Once the exploit is successful, a file download is initiated for an executable from this URL: "hxxxp://www.48groupclub.org/images/uploads/image/sethc.exe" (MD5: 3EC4DE9EF2E158473208842F4631236A).

 

Further analysis shows that when the "sethc.exe" file is executed on the compromised system, it creates a new binary file in the Windows system directory: C:\Program Files\...... 

 

 

 

 

The ruse appears credible because the executable file has been signed by a "valid" certificate authority (CA), as shown below:

 

 

 

 

Through further research we learn that this certificate has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity.

 

 

 

Analyzing this binary, which has a low AV detection rate, we recognize that it is a variant of the well-known Remote Administration Tool Gh0st RAT, which is used mainly in targeted attacks to gain complete control of infected systems. With this control, the remote operator has access to a user's files, email, passwords, and other sensitive personal information. Following is the initial Wireshark network capture between a compromised system and the remote administration center, which reveals the header information of the traffic (note the starting keyword "gh0st"), confirming the use of Gh0st RAT:

 


The Remote Administration Center commands to the compromised system originate from this address: shell.xhhow4.com. At the time of this writing, the address is still active.
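The "gh0st" keyword at the start of each message is enough to build a simple frame-level detector. The following is an added example (not code from the post or from Websense) that parses Gh0st RAT framing, assumed here to be the classic 5-byte keyword, a little-endian total length, a little-endian decompressed length and a zlib-compressed body, over a constructed TCP payload:

```python
import struct
import zlib

# Gh0st RAT frames each C&C message with a 13-byte header: a 5-byte keyword
# (the capture in the post shows "gh0st"; classic builds write "Gh0st", so the
# check is case-insensitive), a 4-byte little-endian total frame length and a
# 4-byte little-endian decompressed length, followed by a zlib-compressed body.
MAGIC = b"gh0st"
HEADER_LEN = 13
HEADER_FMT = "<5sII"


def parse_frame(data: bytes):
    """Parse one Gh0st frame at the start of data.

    Returns (total_len, body) or None if the header or body does not check out."""
    if len(data) < HEADER_LEN:
        return None
    magic, total_len, plain_len = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic.lower() != MAGIC:
        return None
    if total_len < HEADER_LEN or total_len > len(data):
        return None          # length field inconsistent with what we captured
    try:
        body = zlib.decompress(data[HEADER_LEN:total_len])
    except zlib.error:
        return None          # keyword matched by chance; not a real frame
    if len(body) != plain_len:
        return None          # decompressed size must agree with the header
    return total_len, body


def scan_stream(stream: bytes):
    """Walk a reassembled TCP payload and return (offset, body) for every frame."""
    hits, off = [], 0
    while off + HEADER_LEN <= len(stream):
        frame = parse_frame(stream[off:])
        if frame is None:
            off += 1
            continue
        hits.append((off, frame[1]))
        off += frame[0]      # skip the whole frame, do not rescan its body
    return hits


def build_frame(body: bytes, magic: bytes = b"Gh0st") -> bytes:
    """Encoder used only to construct sample traffic; mirrors parse_frame."""
    comp = zlib.compress(body)
    return struct.pack(HEADER_FMT, magic, HEADER_LEN + len(comp), len(body)) + comp


# Constructed sample: two frames separated by unrelated bytes, as a detector
# walking a capture would see them. The bodies are arbitrary placeholders.
HTTP_NOISE = b"HTTP/1.1 200 OK\r\n\r\n"
SAMPLE_STREAM = HTTP_NOISE + build_frame(b"\x01") + b"junk" + build_frame(b"hello", b"gh0st")
```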

 

 

[Update]

 

The Websense® ThreatSeeker® Network detected that the Amnesty International Hong Kong sister website was also compromised to serve Gh0st RAT over the weekend, and the malicious code is still live and active. Below are some of the infected pages that redirect to the exploits. Websense Security Labs will continue to monitor and report any new changes to this attack.

 


 

 

Gianluca Giuliani

Canada’s Cybercrime Report Card: Better or Worse in 2012?
Posted: 10 May 2012 01:39 PM

In May 2011, we conducted an analysis of Canada’s cyber security risk profile, which led to the discovery of a disturbing trend: Canada had become the newest breeding ground of cybercriminal activity.

In the hopes that things would get better, we conducted an exact comparison of the same cybersecurity stats one year later. And we were even more disturbed to see that in Q1 2012, hackers are still taking advantage of Canada’s “squeaky clean” cyber reputation and remotely controlling Canadian servers to carry out their criminal attacks.

Across the board, we’re seeing all types of malicious content coming out of the Great White North. For example:

 

  • 170% Jump in Hosted Phishing Sites - Canada ranks #2 in the world for hosted phishing sites, jumping 170 percent in the last year. This is a significant increase and the country ranks ahead of some of the best known offenders like Egypt and Russia.
  • 39% Increase in Bot Networks - Cybercriminals’ command and control centers are finding that Canadians make great hosts. In the past year, Canada saw a 39 percent increase in bot network activity.
  • 239% Increase in Malicious Websites - The number of malicious URLs is also on the rise in Canada. Canadian computer users beware, Canada saw a 239 percent jump in malicious Canadian websites.


The bottom line is that things are getting worse, and it’s a worldwide trend. As we’ve stated in our 2012 Threat Report, in the past year alone, there has been a major increase in malicious sites and exploit kits and people are getting increasingly redirected to bad sites.

What’s going on in Canada is testament to the continuation of a very bad trend. In the past, malicious content has traditionally been hosted on servers in places like Europe. But, now the bad guys are shifting their infrastructures to sites that are hosted in countries that traditionally have had better reputations.

Even after last year’s discovery, we still have not seen any big takedowns of malicious sites in Canada. In fact, malicious sites seem to stay up longer than in other countries. The public and private sector need to work together to effectively make this happen. The question is, will they finally be able to do so moving forward?

Here's a map that shows the top countries hosting phishing sites for the first part of this year. You can clearly see that Canada now holds the number two position for hosting this type of malicious content.

 

Patrik Runald

Pinning Down Pinterest
Posted: 04 May 2012 08:08 PM

 

There has been a lot of talk lately about Pinterest, the "virtual pinboard" that allows you to "organize and share all the beautiful things you find on the web."

Pinterest uses online social networking to extend the ways you can share your images. Its mission statement reads:  "Our goal is to connect everyone in the world through the 'things' they find interesting. We think that a favorite book, toy, or recipe can reveal a common link between two people. With millions of new pins added every week, Pinterest is connecting people all over the world based on shared tastes and interests."

How does it work?

Currently, the site is available by invitation only, but it’s quite easy to request an invitation either directly from the site or from a friend who’s already using it. Once you’re in, you create “pins”: images you want to post, including videos, along with any text captions you care to add. The “Pin It” button can be added to Firefox or your iPhone, allowing you to grab images anytime and anywhere.  It also adds a link to the source, automatically crediting the author and, presumably, avoiding copyright issues, which have sparked a lot of discussion.*

A collection of pins is called a “board,” which usually focuses on a theme or interest. By displaying images in a thematic board, Pinterest creates a visual collage which provides context and relationships for images in ways other social media sites do not.


It is precisely the social media elements that seem to be fueling Pinterest’s popularity.  Users can search pins, boards, or people. They can “like” other people’s pins, post comments, repin the images to their own boards, and even share them via Facebook and Twitter links, or via embedding in a blog or email. They can follow other users, see activity streams, and click through to the source of an image for more information, or to make a purchase. Collaboration with Flickr was just announced, which enables sharing in the user's Flickr account.

Who uses it?

The number of unique visitors per month to Pinterest has jumped in just under one year from less than half a million to well over 18 million. Most (68.6%) are in the US, but all parts of the world are represented—and growing. Users tend to spend quite a bit of time on the site: more than 15 minutes per day, which is over 50% more than Twitter.



This explosion has created a huge buzz around the site, and at Websense we’ve learned that sites which attract lots of users also tend to attract lots of security concerns.

What could possibly go wrong?

Any site that attracts a lot of users and attention inevitably becomes a target for hackers and spammers. Spam and other types of objectionable content can be reported to Pinterest with the click of a button, which suggests the site relies on its users to spot problems and flag them for review. Malicious image files—where embedded malware is hidden in an image file—can be a particular threat on an image-based platform.

A while back we wrote a blog about inexpensive application toolkits on Facebook. This time around, it's Pinterest's turn.

Here are a few examples of spamming toolkits that automatically generate massive amounts of traffic on a spammer's Pinterest account. Tools may be purchased individually or in packages, and prices range from about $25 to almost $2000 depending on the number and functionality desired.

One tool creates automatic "likes" for pins, and sends an email to the pin creator saying you liked it, along with a link to your profile.


 

 

Another tool finds the most popular pins and re-submits them into the same board name and category on the spammer's account.

 

 

 

Websense researchers found many similar tools for sale, all of which generate unnatural traffic to the spammer's account in order to increase the popularity of a site or brand.  Of course, Pinterest may notice or be informed of the unusual traffic and block the account. A bigger risk is that spamming tools may actually contain viruses, malware, or other threats, making the would-be hacker into a hacking target. 

Pinterest was recently the target of injected JavaScript code (possibly created by such spamming tools) that changed many pins into ads. A recent Pinterest blog post about spam on the platform generated a fair number of user responses about fake followers and spam (comments are now closed). And the site is reportedly using CAPTCHA, at least on some accounts, to ensure that users are human beings.

Regardless of how Pinterest evolves, you can be sure that Websense will stay on top of any security risks, helping you use social media safely.

 



* Because pinning something actually creates a copy (as opposed to simply “liking” a pin), there has been a great deal of controversy and confusion around Pinterest and copyright. The personal blog of a copyright librarian provides some useful discussion.


RM

Widespread malware abuses unsecured Geolocation Service of Adult Website
Posted: 03 May 2012 11:26 AM

While researching outbound malware communications to improve detections for our products, we recently made an interesting discovery. Thousands of samples running in our malware lab reached out to the URL promos.fling.com/geo/txt/city.php. At first we suspected this to be a command and control (C&C) server of botnet malware. However, Websense® categorization of the main Web page of the domain fling.com returned Adult, and visiting the page certainly confirmed this:

 

 

The self-proclaimed "Hottest Place to Hook Up" suggested that we sign up to "Meet the Hottest Members in San Diego" (the location of the US Websense® Security Labs™). This is where the originally discovered URL promos.fling.com/geo/txt/city.php comes into play. Directly visiting the URL returns JavaScript code that prints the visitor's geolocation:

 

 

So how is this unsecured geolocation service used by the malware? Using the network tool Wireshark to look at the malware network traffic contacting this service, we can see that more information is disclosed:

 

 

In this example our malware sandbox was connected to the Internet through a proxy service in Canada. Apart from the JavaScript payload, there are several HTTP cookies sent in the response header specifying the country, state, city, latitude and longitude. Our analysis systems identified other likely C&C connections among the outbound connections of the malware samples in question. Interestingly, these connections try to disguise the malicious HTTP traffic with a forged user-agent string:

 

 

Looking at the geolocation service abused by the malware we can make the connection that the 'CA' part (country code for Canada) in this user-agent is used to disclose the geolocation of the infected machine to the botnet server. This information can be used by the botmaster for statistics or to give different commands to infected machines in certain countries.

 

As of the time of writing this blog post, a total of 4,775 samples that ran in our malware lab show connections to the adult geolocation service in question. Websense customers are protected against known variants of this malware; we also have real-time coverage in place for the traffic between the malware and the C&C servers.


Armin Buescher

The Institute for National Security Studies (Israel) falls prey to Poison Ivy infection
Posted: 02 May 2012 01:06 AM

The Websense® ThreatSeeker® Network has detected that the Institute for National Security Studies (INSS) website in Israel was injected with malicious code. INSS describes itself on its website as an independent academic institute that studies key issues relating to Israel's national security and Middle East affairs.

 

While we can't determine that the infection of this website with exploit code is part of a targeted attack, one could deduce that visitors to this type of site are likely to have an interest in national security or work in this field. The website appears to have been injected with malicious code for over a week now. (Websense ACE has provided protection against this type of injected malicious code since early 2009.)

 

One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago.

 

It's also worth noting that in the last few months, Israeli websites have been under continuous cyber-based threats and attacks. We don't think that this latest infection is part of an organized mass infection campaign but is probably just part of that trend. We continue to look for additional websites leading to the exploit website.

 

We have contacted the webmaster of the website and notified them of the issue and the location of the injected code on the website; so far, we haven't heard back from them.

 

Websense customers are protected proactively from these threats by ACE, our Advanced Classification Engine.

 

 

Here's how this exploit works: when users visit the home page of the INSS website, the injected malicious JavaScript code loads a Java exploit. The injected code shown below consists of a "document.write" function call that uses decimal-encoded string characters to hide the exploit URL. Once decoded, the destination page can be retrieved. This means that users are silently redirected to the exploit page while their browser loads the website's home page:

 

The obfuscated injected content on the INSS home page looks like this:

 

 

Here's the decoded content:

 

 

And the content of the out.htm web page:

 

 

By merely looking at the code snippet above, we can see that the applet class's name suggests its intentions: "msf.x.Exploit.class." After further investigation, we detected that "test.jar" holds the exploit of the well-known Java vulnerability CVE-2012-0507. The inner workings of the "test.jar" file reveal that it contains a rather large compressed text file called "abc.txt" that is filled with a huge number of "a" characters. Once decompressed, the file size is about 104 MB. We think that this is a technique that attempts to evade automated malware analysis technologies, since some of those systems typically avoid downloading the contents of big files, because malware tends to be small in size.
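The decoding step described above can be automated for triage. The following is an added example (not code from the post or from Websense) that finds every document.write call in a script, decodes a decimal-encoded argument and pulls out the URLs, archive and class names it references. The post shows the encoding only in a screenshot, so handling both decimal HTML entities and String.fromCharCode is an assumption; the sample host is a placeholder, while out.htm, test.jar and msf.x.Exploit.class are the names from the post:

```python
import re

SRC_RE = re.compile(r"""(?:src|href|archive|code)\s*=\s*["']?([^"'\s>]+)""", re.I)
ENTITY_RE = re.compile(r"&#(\d{1,7});?")            # decimal HTML entities: &#104;
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")


def _call_argument(script, open_paren):
    """Return the text between balanced parens starting at open_paren,
    ignoring parens inside JS string literals. None if unbalanced."""
    depth, quote, i = 0, None, open_paren
    while i < len(script):
        c = script[i]
        if quote:
            if c == "\\":
                i += 1                       # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return script[open_paren + 1:i]
        i += 1
    return None


def decode_argument(arg):
    """Decode the two common decimal encodings of a document.write argument."""
    arg = arg.strip()
    if FROMCHARCODE_RE.search(arg):
        codes = []
        for m in FROMCHARCODE_RE.finditer(arg):
            codes += [int(n) for n in re.findall(r"\d+", m.group(1))]
        return "".join(chr(c) for c in codes)
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        arg = arg[1:-1]                      # unwrap a quoted literal
    return ENTITY_RE.sub(lambda m: chr(int(m.group(1))), arg)


def decode_document_writes(script):
    """Return the decoded content of every document.write(...) call in script."""
    out = []
    for m in re.finditer(r"document\.write\s*\(", script):
        arg = _call_argument(script, m.end() - 1)
        if arg is not None:
            out.append(decode_argument(arg))
    return out


def extract_references(html):
    """Pull src/href/archive/code values out of decoded markup for blocking or triage."""
    return SRC_RE.findall(html)


# Constructed samples: the markup a redirect and an applet loader would decode to,
# encoded the two ways the decoder understands. example.invalid is a placeholder.
PLAIN_IFRAME = '<iframe src="http://example.invalid/out.htm" width=1 height=1></iframe>'
PLAIN_APPLET = '<applet archive="test.jar" code="msf.x.Exploit.class"></applet>'
SAMPLE_FROMCHARCODE = "document.write(String.fromCharCode(%s));" % ",".join(
    str(ord(c)) for c in PLAIN_IFRAME)
SAMPLE_ENTITIES = 'document.write("%s");' % "".join("&#%d;" % ord(c) for c in PLAIN_APPLET)
```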

 

 

From analyzing the contents of the JAR file, it was evident that it was generated by the Metasploit toolkit, which, as we mentioned, holds the exploit for CVE-2012-0507:

 

 

 

The binary associated with the exploit, "svchost.exe" (MD5: 52aa791a524b61b129344f10b4712f52), is automatically installed on the victim's computer following a successful Java exploitation attempt. "svchost.exe" is a variant of Poison Ivy, a remote administration tool (RAT) that can be used, as its name suggests, to control a computer remotely. The tool is robust and mature and may be used for legitimate purposes, but is also widely used for malicious purposes. Once Poison Ivy installs on the system, it connects to a Dynamic DNS command and control address: ids.ns01.us.

 

Gianluca Giuliani

Websense Security Labs at Infosec2012
Posted: 30 Apr 2012 11:00 AM

 

Last week, Websense® Security Labs™ team members attended the Infosec2012 conference at Earls Court in London. It was quite busy and exciting for us, as we assisted Sales Engineers and Sales teams to work with customers at the Websense booth. We also attended workshops and chapter meetings for (ISC)2 (International Information Systems Security Certification Consortium) and ISACA (Information Systems Audit and Control Association).


The Infosec conference presents high-level security information, such as security product demonstrations, rather than technical talks on topics like exploits and vulnerabilities. So we expected to hear presentations and general discussions about enterprise security and issues of concern to our customers.


Topics receiving the most attention at Infosec were: Mobile Security (MDM and BYOD), Big Data, APT (advanced persistent threat) and AET (advanced evasion technique), and SIEM (security information and event management).


Some vendors presented anti-DDOS (distributed denial of service) solutions, hardware destruction options, and network mapping tools.


Several booths were represented by universities and information security certification organizations like (ISC)2 and ISACA.


Mobile security is a hot topic at the moment. Almost everyone in the private and public sectors has implemented, or is about to implement, MDM (mobile device management) or other mobile security solutions. However, the main concern is not the individual devices but enterprise data protection. Companies are concerned about the BYOD (bring your own device) trend: when employees access company data with their own phones or tablets, the company still needs to protect its sensitive data. It is important to remember that these mobile devices are also entertainment devices that employees may share with friends and family members. Some conference talks included discussions of data separation, so that when a device needs to be wiped, personal data is retained while company data is secured.


APT and AET were also popular topics at the conference. The IT professionals' primary concerns were related to the response from security vendors in the event of a data breach or a sensitive data/information leakage due to APTs and AETs. Companies are aware of the potential risks of these types of threats, but in many cases companies may not have a good idea of the details of an attack. Follow-up contact and in-depth analysis by security vendors is needed. Using a detailed analysis of an attack from a security vendor, a company can protect against future threats by taking a layered approach to secure its assets and vital information. As a result, companies will have more trust in security vendors.


Email messages are still a main entry point for APT attacks, especially those using social engineering tactics and phishing attacks that target specific companies.


Some APT attacks are done with well-known penetration testing tools. Deploying protection against those tools can prevent these types of attacks.


Conference attendees also expressed interest in what was defined as a “security intelligence network,” which would permit close cooperation among vendors to forecast, prevent, and track various types of attacks.


Most conference booths had sales engineers, sales people, and marketing personnel to generate leads. However, a few participants (like Websense) included their security lab professionals. Some talks presented at the booths included demonstrations of how URLs can be injected, deobfuscation of JavaScript, penetration testing, what’s behind credential-stealing trojans, and the analysis and display of parts of exploit kits.


Thanks to the Infosec2012 organizers for a great conference in a great place!

 


Websense Security Labs will continue its focus on security threat research and defense technology innovations.


The following researchers attended Infosec2012 and provided feedback for this blog:
Amon Sanniez, Tamas Rudnai, Artem Gololobov, Gianluca Giuliani.
Be sure to follow us at WebsenseSecurityLabs!


Artem Gololobov

Weibo Accounts Compromised to Spread Phishing Campaign
Posted: 25 Apr 2012 03:00 AM

The Websense® ThreatSeeker® Network has detected a wave of phishing campaigns spreading on the Chinese social network "Sina Weibo". Sina Weibo is a Chinese microblog website, like a hybrid of Twitter and Facebook, that has more than 300 million registered users as of February 2012.

 

The attacker uses compromised accounts to spread phishing messages. The compromised accounts are set up to forward and comment on every microblog they follow. These forwarded messages also get posted on the account's own wall, so the same phishing message reaches both followees and followers. The phishing message is a notification that the user has won a prize, and a link redirects the user to a phishing site via a shortened URL.

 

Several phishing messages are used to spread the campaign. The templates have only minor wording differences and add a random tag after the shortened URL. The example of the phishing message shown above has been forwarded more than 3 million times, a number that is growing rapidly.

 

The phishing sites pretend to be award sites sponsored by SINA Corporation, the owner of Sina Weibo. Visitors are notified that in order to claim their valuable prize, the "winner" must pay a portion of the prize's tax. The "tax" is then paid to the phisher. The sites also ask for personal information, such as name, portal address, and account number.


 

Internet users often register for multiple online accounts using the same information, including login credentials. In December 2011, a previous blog described a huge data breach in China, in which attackers easily reused leaked credentials to gain access to and control of other accounts. Websense recommends that Weibo users reset their login details if suspicious posts and content appear.

 

Websense customers are protected from these threats by ACE, our Advanced Classification Engine. 

uwang

Is CVE-2012-0507 the best toolkit to exploit Mac OS X?
Posted: 16 Apr 2012 10:23 AM

The recent advent of the Flashback malware, which includes exploit code for CVE-2012-0507, has been creating waves, and the exploit has quickly been adopted by various other attackers, as Websense® Security Labs™ has shown. This blog post details some aspects of CVE-2012-0507 and how this exploit has been used in the wild.

 

The Java code first starts with the excerpt below:

 

 

 

 

The string "sobj" contains a stream of characters that triggers the vulnerability and forces Java to render something it usually wouldn't be allowed to. The string "8BCA ..." is obfuscated with an XOR key of 0x27, as shown below:

 

 

 

 

After this string is de-obfuscated, it looks something like the image below:

 


 

 

We compared the exploit code used in the Flashback campaign (above) with another instance in the wild that surfaced recently. Apparently, the attacker is using the exploit code provided by the Metasploit framework.




 

 

The only difference between the flashback exploit code and the one used by metasploit is the bytecode array, where one is a signed byte array while the other is unsigned, as revealed below:

 

 

 

 

In our flashback sample, the string that triggers the vulnerability is "XOR-ed" with 0x27, while the string seen in the metasploit sample uses a signed byte array.
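The two encodings compared above are easy to normalise for triage, and the "8BCA" prefix is telling: a Java serialization stream begins with the magic bytes AC ED 00 05, and 0xAC ^ 0x27 = 0x8B, 0xED ^ 0x27 = 0xCA. The following is an added example (not code from the post, from Websense or from Metasploit) that undoes the XOR obfuscation, recovers the key from the magic alone, and converts a signed Java byte[] literal to the same raw bytes; the sample tail bytes are constructed and the literal's variable name is taken from the post:

```python
import re

# Java serialization streams start with the 4-byte magic AC ED 00 05. In the
# Flashback sample the obfuscated string begins "8BCA", which is exactly that
# magic XOR-ed with 0x27 (0xAC ^ 0x27 = 0x8B, 0xED ^ 0x27 = 0xCA).
JAVA_SERIAL_MAGIC = bytes.fromhex("aced0005")


def xor_decode_hex(hex_str: str, key: int) -> bytes:
    """Undo the Flashback-style obfuscation: hex text XOR-ed with a 1-byte key."""
    return bytes(b ^ key for b in bytes.fromhex(re.sub(r"\s+", "", hex_str)))


def recover_xor_key(hex_str: str):
    """Try all 256 single-byte keys and return the one whose output starts with
    the serialization magic, or None if no key produces it."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_str))[:4]
    for key in range(256):
        if bytes(b ^ key for b in raw) == JAVA_SERIAL_MAGIC:
            return key
    return None


def parse_java_byte_array(java_src: str) -> bytes:
    """Turn a Metasploit-style 'new byte[]{ -84, -19, 0, 5, ... }' literal into raw
    bytes. Java bytes are signed, so negative values map via two's complement."""
    body = java_src.split("{", 1)[1].split("}", 1)[0]
    return bytes(int(n) & 0xFF for n in re.findall(r"-?\d+", body))


def to_java_signed(data: bytes):
    """Inverse view: how raw bytes appear in a Java signed byte[] literal."""
    return [b - 256 if b > 127 else b for b in data]


def is_java_serialized(data: bytes) -> bool:
    """Heuristic used to flag a blob as a serialized Java object."""
    return data[:4] == JAVA_SERIAL_MAGIC


# Constructed sample: the magic followed by TC_OBJECT (0x73) and TC_CLASSDESC
# (0x72), the tags that open an object in the stream, in both encodings.
PLAIN_SAMPLE = JAVA_SERIAL_MAGIC + b"\x73\x72"
FLASHBACK_STYLE = "".join("%02X" % (b ^ 0x27) for b in PLAIN_SAMPLE)
METASPLOIT_STYLE = "byte[] sobj = new byte[]{ %s };" % ", ".join(
    str(v) for v in to_java_signed(PLAIN_SAMPLE))
```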

 

Lastly, the payload used by the Flashback malware is a dropped Mach-O binary executable, while the Metasploit exploit binds a shell to a listening TCP port, choosing the payload according to the victim's operating system. (This highlights the advantage of a design flaw over a memory-corruption vulnerability: the same exploit works across platforms.) The code excerpt is shown below:

 

 

 

 

Websense security solutions protect users from these kinds of exploits.

 

Flashback Mac malware
Posted: 12 Apr 2012 11:48 PM

We in Websense® Security Labs™ have been following the developments of the Flashback trojan for Mac that has infected over 600,000 Apple computers worldwide. The number of infected computers seems to be dropping steadily now and will continue to do so as Apple yesterday released a removal tool as part of their Software Update:

 

 

We recommend that all Apple users install this software update as soon as possible.

 

Flashback itself has been around since last year, but the number of infections really increased after it was used in drive-by download attacks using CVE-2012-0507, a vulnerability in Java. This marks the first time that Mac users are under the same threat that Windows users have been for years; it's enough to visit a website to get compromised.

 

Websense customers are protected against all known variants of the Flashback trojan, and we also have real-time coverage in place for the traffic between the malware and the command and control servers. And that's the benefit of having a gateway product that can inspect content in real time: Data is data, regardless of what the endpoint is (Windows, OS X, iOS, Android, etc.).


Patrik Runald

The Android "GoldDream" Malware Server is Still Alive
Posted: 12 Apr 2012 01:05 AM

Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar.gicp.net), which hosts this malware, has been revealed in many articles. But, to our surprise, this C&C server is still alive after several months and is still serving users with "GoldDream" malware. Currently, only Websense® ThreatSeeker® Network has blocked the malware server sites, out of the 19 vendors listed by VirusTotal! 

 

The malware site mainly targets users in China, masquerading as a normal Android app distribution site. The site makes use of a fake certificate and registration information to lure more customers, and is placed at the bottom of the listed app sites in a bid to present itself as a reputable site.

 

 

We have analyzed all the available free Android apps on the site (23 in total). 18 of these apps contain "GoldDream" malware. These are normal game apps which are re-packaged to include malicious code. Although we have not analysed the paid apps, we believe they are highly suspicious. These "GoldDream" malware apps have the following malicious behaviors:

 

  • calling a phone number
  • sending an SMS
  • deleting a package on the device
  • installing a package on the device
  • uploading personal information to the remote web server
  • logging the user's activity and uploading it to the remote web server
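As an added triage check (not from the post or from Websense), the following maps the six behaviours listed above to the Android permissions an app must declare to perform them, and flags a manifest that covers several of them at once. The permission names are real Android permissions; the behaviour-to-permission mapping, the threshold and the sample manifests are our own assumptions:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Each behaviour the post lists for GoldDream, mapped to the Android permissions an
# app must declare to do it. The permission names are real; the mapping is ours.
BEHAVIOUR_PERMISSIONS = {
    "calling a phone number": {"android.permission.CALL_PHONE"},
    "sending an SMS": {"android.permission.SEND_SMS"},
    "deleting a package": {"android.permission.DELETE_PACKAGES"},
    "installing a package": {"android.permission.INSTALL_PACKAGES"},
    "uploading personal info": {"android.permission.READ_CONTACTS",
                                "android.permission.INTERNET"},
    "logging user activity": {"android.permission.READ_SMS",
                              "android.permission.READ_PHONE_STATE"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)}


def matched_behaviours(perms: set) -> list:
    """Behaviours whose full permission set is present in the manifest."""
    return sorted(b for b, needed in BEHAVIOUR_PERMISSIONS.items() if needed <= perms)


def triage(manifest_xml: str, threshold: int = 2) -> dict:
    """Flag an app whose permissions cover `threshold` or more listed behaviours.

    A repackaged game that can place calls, send SMS and install packages has no
    plausible reason to need all of that, so several matches together are the signal."""
    perms = declared_permissions(manifest_xml)
    hits = matched_behaviours(perms)
    return {"permissions": sorted(perms), "behaviours": hits,
            "suspicious": len(hits) >= threshold}


def build_manifest(*perms: str) -> str:
    """Construct a minimal manifest for the samples below (package name is a placeholder)."""
    body = "\n".join('  <uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="com.example.game">\n%s\n</manifest>'
            % (ANDROID_NS, body))


# Constructed samples: a game repackaged with the listed capabilities, and a benign one.
REPACKAGED_GAME = build_manifest(
    "android.permission.INTERNET", "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS", "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE")
BENIGN_GAME = build_manifest("android.permission.INTERNET")
```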

 

We strongly suggest that users refrain from downloading and installing apps from untrusted 3rd party sources. And, if you need to, please scan the app before you install it.

 

Websense customers are protected from these threats by ACE™, our Advanced Classification Engine. Additional mobile security features are available from our Mobile Security Solution.

 

uwang


©2012 Websense, Inc. All Rights Reserved.